Skype account hijacking

It looks like Skype has another big hole in its security. This one allows you to hijack any Skype account and read its history if you know the victim's Skype login (account name) and e-mail address. Notably, this issue was reported to Skype support a while ago, but nothing has been done since then.

Below is the sequence of steps that reproduces the hijack of an account:

  1. You need to know the victim's Skype login and the e-mail address registered to it.
  2. Register a new Skype account using the e-mail address from #1. You will get a message that it is already in use; ignore it and fill in the rest of the form.
  3. Log in to the new profile and add an e-mail address you own as an additional address.
  4. Log in to the Skype client application with the new account.
  5. Delete the browser cookies, navigate to the forgot-password page and enter the e-mail address from #1.
  6. The password-reset marker (token) should be sent by e-mail, but no e-mail is sent; instead a notification pops up in the Skype client.
     [Image: marker notification popup and marker link]
  7. Follow the link. You can see the e-mail address from #1 and all logins registered for that address; the list includes the login you added in #2.
  8. Now you can choose ANY login and change its password.
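The following is an added, constructed model of the reset flow the steps above describe, and of the two checks that close it; it is not Skype's code and makes no claim about how Skype's service was actually implemented. The class names, the in-memory account store, and the sample logins and addresses are assumptions made for the example. The flawed service lets a second account register under an address already in use, pushes the reset token to any logged-in client whose account carries that address, and lets the token holder pick any login bound to it. The hardened service rejects the duplicate registration and binds the token to a single account, delivering it only out of band.

```python
import secrets


class FlawedResetService:
    """In-memory model of the reset flow the steps above describe (constructed)."""

    def __init__(self):
        self.accounts = {}   # login -> {"email": str, "password": str}
        self.online = set()  # logins with a logged-in client application
        self.tokens = {}     # reset token -> e-mail address the reset was requested for

    def register(self, login, email, password):
        # Step 2: the address is already in use, yet registration still succeeds.
        self.accounts[login] = {"email": email, "password": password}

    def connect_client(self, login, password):
        # Step 4: log the new account in to the client application.
        if self.accounts[login]["password"] != password:
            raise PermissionError("bad credentials")
        self.online.add(login)

    def forgot_password(self, email):
        # Step 6: the token is pushed to every logged-in client whose account
        # carries the address, instead of going only to the mailbox.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        recipients = sorted(l for l in self.online if self.accounts[l]["email"] == email)
        return token, recipients

    def reset_page(self, token):
        # Reset page: lists every login bound to the address behind the token.
        email = self.tokens[token]
        return sorted(l for l, a in self.accounts.items() if a["email"] == email)

    def reset_password(self, token, login, new_password):
        # Password change: any login on the list may be chosen.
        if login not in self.reset_page(token):
            raise PermissionError("login is not covered by this reset token")
        self.accounts[login]["password"] = new_password


class HardenedResetService(FlawedResetService):
    """Same interface with the two checks the flawed flow lacks."""

    def register(self, login, email, password):
        # One account per e-mail address: "already in use" must be a hard failure.
        if any(a["email"] == email for a in self.accounts.values()):
            raise ValueError("e-mail address is already bound to an account")
        super().register(login, email, password)

    def forgot_password(self, email):
        # The token is bound to exactly one account and delivered only out of band
        # (to the mailbox itself), never to a logged-in client session.
        token = secrets.token_urlsafe(16)
        matches = [l for l, a in self.accounts.items() if a["email"] == email]
        self.tokens[token] = matches[0] if len(matches) == 1 else None
        return token, []  # nothing is pushed to any client

    def reset_page(self, token):
        login = self.tokens.get(token)
        return [login] if login else []


def run_hijack(service):
    """Replays the steps above against a service; returns the victim's password afterwards.

    Step 3 (adding an extra e-mail address) is not modelled: in this model the
    popup delivery in step 6 does not depend on it.
    """
    service.register("victim", "victim@example.com", "s3cret")              # step 1: known login + address
    try:
        service.register("attacker", "victim@example.com", "attacker-pw")   # step 2
    except ValueError:
        return service.accounts["victim"]["password"]
    service.connect_client("attacker", "attacker-pw")                       # step 4
    token, popup_recipients = service.forgot_password("victim@example.com") # steps 5 and 6
    if "attacker" not in popup_recipients:
        return service.accounts["victim"]["password"]  # token never reached the attacker
    if "victim" in service.reset_page(token):                               # reset page lists the victim
        service.reset_password(token, "victim", "pwned")                    # change the victim's password
    return service.accounts["victim"]["password"]


if __name__ == "__main__":
    print("flawed  :", run_hijack(FlawedResetService()))     # pwned
    print("hardened:", run_hijack(HardenedResetService()))   # s3cret
```

Either check alone stops the replay: with unique addresses the attacker never gets past step 2, and with a token bound to one account and delivered only to the mailbox, a duplicate account would still never see it.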

For now the only way to defend your account against hijacking is to register a new e-mail address that has never been disclosed to anyone and set it as the main e-mail address of your Skype account on the Skype web site.
Attention! You cannot change the main e-mail address in the Skype client, only on the Skype web site.

Discussion in Russian (http://habrahabr.ru/post/158545/)

Source in Russian (http://forum.xeksec.com/skype.html#post98725)

Update

Eventually Gizmodo published the news.

Skype officially stated: “We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority”.

It is funny, since the person who found this hole contacted Skype support 2 months ago and nothing was done.
